Team for Research in
Ubiquitous Secure Technology

A distributed intrusion detection system for resource-constrained devices in ad-hoc networks
Adrian Lauf, William H. Robinson, Alan Peters

Citation
Adrian Lauf, William H. Robinson, Alan Peters. "A distributed intrusion detection system for resource-constrained devices in ad-hoc networks". Elsevier Ad-hoc Networks, 8(3):253-266, May 2010.

Abstract
This paper describes the design and implementation of a two-stage intrusion detection system (IDS) for use with mobile ad-hoc networks. Our anomaly-based intrusion detection is provided by analyzing the context from the application-level interactions of networked nodes; each interaction corresponds to a specific function or behavior within the operational scenario of the network. A static set of behaviors is determined offline, and these behaviors are tracked dynamically during the operation of the network. During the first stage of the IDS, our detection strategy employs the analysis of global and local maxima in the probability density functions of the behaviors to isolate deviance at the granularity of a single node. This stage is used to capture the typical behavior of the network. The first stage also provides tuning and calibration for the second stage. During the second stage, a cross-correlative component is used to detect multiple threats simultaneously. Our approach distributes the IDS among all connected network nodes, allowing each node to identify potential threats individually. The combined result can detect deviant nodes in a scalable manner and can operate in the presence of a density of deviant nodes approaching 22%. Computational requirements are reduced to adapt optimally to embedded devices on an ad-hoc network.

Citation formats  
  • HTML
    Adrian Lauf, William H. Robinson, Alan Peters. <a
    href="http://www.truststc.org/pubs/665.html" >A
    distributed intrusion detection system for
    resource-constrained devices in ad-hoc networks</a>,
    <i>Elsevier Ad-hoc Networks</i>, 8(3):253-266,
    May 2010.
  • Plain text
    Adrian Lauf, William H. Robinson, Alan Peters. "A
    distributed intrusion detection system for
    resource-constrained devices in ad-hoc networks".
    Elsevier Ad-hoc Networks, 8(3):253-266,
    May 2010.
  • BibTeX
    @article{LaufRobinsonPeters10_DistributedIntrusionDetectionSystemForResourceconstrained,
        author = {Adrian Lauf and William H. Robinson and Alan Peters},
        title = {A distributed intrusion detection system for
                  resource-constrained devices in ad-hoc networks},
        journal = {Elsevier Ad-hoc Networks},
        volume = {8},
        number = {3},
        pages = {253-266},
        month = {May},
        year = {2010},
        abstract = {This paper describes the design and implementation
                  of a two-stage intrusion detection system (IDS)
                  for use with mobile ad-hoc networks. Our
                  anomaly-based intrusion detection is provided by
                  analyzing the context from the application-level
                  interactions of networked nodes; each interaction
                  corresponds to a specific function or behavior
                  within the operational scenario of the network. A
                  static set of behaviors is determined offline, and
                  these behaviors are tracked dynamically during the
                  operation of the network. During the first stage
                  of the IDS, our detection strategy employs the
                  analysis of global and local maxima in the
                  probability density functions of the behaviors to
                  isolate deviance at the granularity of a single
                  node. This stage is used to capture the typical
                  behavior of the network. The first stage also
                  provides tuning and calibration for the second
                  stage. During the second stage, a
                  cross-correlative component is used to detect
                  multiple threats simultaneously. Our approach
                  distributes the IDS among all connected network
                  nodes, allowing each node to identify potential
                  threats individually. The combined result can
                  detect deviant nodes in a scalable manner and can
                  operate in the presence of a density of deviant
                  nodes approaching 22%. Computational requirements
                  are reduced to adapt optimally to embedded devices
                  on an ad-hoc network.},
        URL = {http://www.truststc.org/pubs/665.html}
    }
    

Posted by Adrian Lauf, Ph.D. on 29 Mar 2010.
Groups: trust

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.